I don't need much security here so merely checking to see if the file exists would be enough security for me.

If you are logged in, then check your browser right now (Firebug in Firefox is especially useful for this). Your browser should be sending an Ajax request to the server, with the session id and some other info.

Unfortunately, sometimes that session file does not exist. Sometimes the Ajax in my browser keeps sending that session_id yet the file on the server is not there.

So, why is that? Does Symfony store it in the database such that the session is no longer recorded in /var/lib/php5?

My question in its simplest form: where can I look to reliably verify that a session id is real? I have to be able to do this from outside of PHP. Though the site was originally written in PHP/Symfony, my long-term plan is to rewrite the whole thing in Clojure. For now, this means I have to get the Clojure and PHP to sometimes share information.

UPDATE:

This just happened again. Someone's browser just sent in this session id, just a few seconds ago:

8hpvncvd7ahia95bnbe4o5wer7

I saw this session id come in via the server. And, as root, I checked for it and found nothing:

"or just check if it exists in the session directory without using PHP."

That is the part I am having trouble with. In Firefox, I log into a site, and using Firebug I can see the Ajax calls that send my session id to the Clojure app. And at first the Clojure app can find a session file in /var/lib/php5 that matches my session id. But then later the file seems to disappear.

Regarding this problem: <blockquote>...at first the Clojure app can find a session file in /var/lib/php5 that matches my session id. But then later the file seems to disappear.</blockquote> Please search your project for any custom authentication-related method that calls this: $storage->regenerateID();

<blockquote>But then later the file seems to disappear</blockquote>
Strange behavior. The file is supposed to be deleted when the session_id is regenerated with, say, session_regenerate_id() (I don't know if Symfony performs this internally).
So, maybe the cleanest way is to implement your PHP sessions in MySQL instead of plain files (the default).

I agree that the info needs to be hidden. My goal was simply to get the app working this week. Next week I plan to switch to a more secure protocol. I don't like sending anyone's session_id over the plain wire as plain HTTP.
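
The existence check discussed in this thread, written as an added example (not code from any poster here): it validates the browser-supplied id before building a path from it, then looks for the session file. It assumes PHP's default "files" session handler, which names each file `sess_<id>`, and the `/var/lib/php5` directory from the question; the function names and the `SESSION_DIR` variable are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes PHP's default "files" session handler, which stores
# each session as <dir>/sess_<id>, and the directory named in the question.
SESSION_DIR="${SESSION_DIR:-/var/lib/php5}"

# The id arrives from the browser, so it is untrusted input. Accept only the
# characters PHP's file handler itself accepts (letters, digits, ',' and '-')
# so that a value such as "../x" can never become part of a path.
# The 128-character cap is this example's own limit.
valid_session_id() (
    LC_ALL=C
    [ "${#1}" -le 128 ] || exit 1
    case "$1" in
        '' | *[!A-Za-z0-9,-]*) exit 1 ;;
    esac
)

# Exit status: 0 = session file present, 1 = no such session, 2 = malformed id.
# A missing file is an ordinary result: once PHP has regenerated the id and
# deleted the old file, the old id must be treated as not logged in.
php_session_exists() {
    valid_session_id "$1" || return 2
    [ -f "$SESSION_DIR/sess_$1" ] || return 1
    return 0
}

# Print a one-word verdict for an id: live, unknown or malformed.
session_verdict() {
    rc=0
    php_session_exists "$1" || rc=$?
    case "$rc" in
        0) echo live ;;
        2) echo malformed ;;
        *) echo unknown ;;
    esac
}

# Usage: sh check_session.sh <session-id>
if [ "$#" -eq 1 ]; then
    session_verdict "$1"
fi
```

The script must run as a user that is allowed to stat files inside the session directory, otherwise every id reports as unknown.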